Service tagging optimization for intent-based networking

ABSTRACT

A method is performed to provide assurance for a service enabled on a network. A definition of the service is received. The definition includes a service type, a service instance, and configuration information used to enable the service. From the service type and the service instance, a service tag that is unique to the service is generated so as to distinguish the service from other services on the network. Based on the definition, the service is decomposed into a subservice dependency graph of subservices and dependencies between the subservices. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of health states of the subservices. The subservice metrics are obtained from the subservices. The service tag is applied to the subservice metrics to produce service-tagged subservice metrics. The service-tagged subservice metrics are analyzed to determine a health state of the service.

TECHNICAL FIELD

The present disclosure relates to assurance of services enabled on networks.

BACKGROUND

A compulsory step for intent-based networking involves closing a loop with telemetry for service assurance. Discovering whether a service fulfills its service level agreement (SLA) is relatively easy when monitoring synthetic traffic mimicking the service. However, such an over-the-top mechanism only provides SLA compliance results that considers a network on which the service is enabled as a “black box,” without knowledge of inner workings or low-level components of the service. Therefore, a network operator tasked with the monitoring of the service has limited or no insights on which specific degraded or faulty network components/features are responsible for service degradation. This issue is particularly difficult when the network is composed of heterogeneous network components. Telemetry exists today to report operational information, but an issue arises in that telemetry from network devices in the network does not provide service context information. Hence, troubleshooting the service based on the telemetry is very complex, with, on one side, the service information, and on another side, network device-specific telemetry information.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a network service assurance system or architecture (also referred to as a “service assurance system”), according to an example embodiment.

FIG. 2A is a block diagram that shows additional details of an assurance orchestrator, a representative assurance agent, and a representative network device of the service assurance system, according to an example embodiment.

FIG. 2B is a block diagram that shows a distributed arrangement of assurance agents and network devices of the service assurance system, according to an example embodiment.

FIG. 3 is an illustration of service configuration information for a first network device and an interface on the first network device for a specific service, according to an example embodiment.

FIG. 4 is an illustration of service configuration information for a second network device and an interface on the second network device for the specific service, according to an example embodiment.

FIG. 5 is an illustration of service configuration information for a first cross-connect (xconnect) associated with the second network device for the specific service, according to an example embodiment.

FIG. 6 is an illustration of a subservice dependency graph, in an example form of a subservice dependency tree, for a service, according to an example embodiment.

FIG. 7 is an illustration of a generalized heuristic package generated based on a subservice dependency graph, according to an example embodiment.

FIG. 8 is an illustration of a heuristic package for a network device used by a service, according to an example embodiment.

FIG. 9 is an illustration of a heuristic package for a network protocol implemented on a network device used for the service, according to an example embodiment.

FIG. 10 is an illustration of a user interface (UI) generated for display by assurance collectors of the service assurance system based on an analysis of service-tagged subservice metrics belonging to a specific service, according to an example embodiment.

FIG. 11 is an illustration of UI generated for display by the assurance collectors based on an analysis of service-tagged subservice metrics for multiple services, according to an example embodiment.

FIG. 12 is an illustration of a monitoring object used to configure a subservice of a service, according to an example embodiment.

FIG. 13 is an illustration of a service-tagged subservice metrics in a form of a telemetry object corresponding to the monitoring object, according to an example embodiment.

FIG. 14 is a flowchart of a method of performing assurance for a service enabled on a network, according to an example embodiment.

FIG. 15 is a hardware block diagram of an example computer system of a network orchestrator and an assurance entity, representative of one or more of an assurance orchestrator, assurance agents, and assurance collectors of the service assurance system, according to an example embodiment.

FIG. 16 is a block diagram of a network device on which a subservice may be implemented, according to an example embodiment.

DESCRIPTION OF EXAMPLE EMBODIMENTS Overview

A method is performed at one or more entities configured to provide assurance for a service enabled on a network. A definition of the service is received. The definition includes a service type, a service instance, and configuration information used to enable the service. From the service type and the service instance, a service tag that is unique to the service is generated so as to distinguish the service from other services on the network. Based on the definition, the service is decomposed into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service. Based on the subservice dependency graph, the subservices are configured to record and report subservice metrics indicative of health states of the subservices. The subservice metrics are obtained from the subservices. The service tag is applied to the subservice metrics to produce service-tagged subservice metrics. The service-tagged subservice metrics are analyzed to determine a health state of the service.

EXAMPLE EMBODIMENTS

Service Assurance for Intent-Based Networking (SAIN)

With reference to FIG. 1, there is a block diagram of an example network service assurance system or architecture 100 (also referred to herein as a “service assurance system” 100). Service assurance system 100 may provide service assurance for intent-based networking (SAIN), for example. The service assurance system 100 leverages programming capabilities of network devices in the intent-based network (also referred to as a “service network” or simply a “network”), and model/event driven metrics in telemetry obtained from the network devices, to deliver end-to-end service assurance for various services. Service assurance system 100 includes a network orchestrator (NO) 102, service operators 104 to provide instructions to the network orchestrator 102, an assurance orchestrator 106 that communicates with the network orchestrator 102, assurance agents 108(1)-108(M) (collectively, “assurance agents” 108) that communicate with the assurance orchestrator 106, assurance collectors 110 that communicate with the assurance agents 108 and the service operators 104, and network devices 112(1)-112(N) (collectively, “network devices” 112) that communicate with the network orchestrator 102 and the assurance collectors 110. Network orchestrator 102 configures network devices 112(1)-112(N) to implement an intent-based service network 113 enabled to provide a variety of services to end users. Network devices 112 may include routers, switches, gateways, and other network devices (physical or virtual). Assurance orchestrator 106, assurance agents 108, and assurance collectors 110 are generally referred to as one or more “assurance entities” (or simply “entities”) configured to provide assurance for services on a network.

Network orchestrator 102 may include applications and/or services hosted on one or more server devices (more simply referred to as servers), for example, in a cloud-based data center. Assurance orchestrator 106 may also include applications and/or services hosted on one or more server devices, which may be the same as or different from the servers used by network orchestrator 102. Similarly, assurance collectors 110 may also include applications and/or services hosted on one or more servers, which may be the same as or different from the servers used by assurance orchestrator 106. In an embodiment, assurance collectors 110 are applications integrated into assurance orchestrator 106. Assurance agents 108(1)-108(N) may each include applications and/or services hosted on one or more servers, and may be distributed geographically to be near respective ones of network devices 112(1)-112(N) enabled for services to be monitored under control of the assurance agents. Network orchestrator 102, assurance orchestrator 106, assurance agents 108, assurance collectors 110, and network devices 112 may communicate with each other over one or more communication networks, including one or more wide area networks (WANs), such as the Internet, and one or more local area networks (LANs).

In the example of FIG. 1, service assurance system 100 supports multiple services, including service 1 and service 2 (collectively, “the services”). To this end, service operators 104 include a service 1 operator for service 1 and a service 2 operator for service 2, and assurance collectors 110 include a service 1 collector for service 1 and a service 2 collector for service 2. Service operators 104 (e.g., service 1 operator and service 2 operator) provide to network orchestrator 102 network and service intent-based instructions to setup/configure the services (e.g., service 1 and service 2) for end users. Service operators 104 also receive requests for assurance (e.g., “get assurance” requests) for the services from assurance collectors 110 (e.g., service 1 collector and service 2 collector), and forward the requests to network orchestrator 102.

Responsive to the aforementioned instructions and the requests sent by service operators 104, network orchestrator 102 derives and sends to network devices 112 intent-based network device configuration information 114 to configure the network devices/service network 113 for the services (e.g., for service 1 and service 2). In addition, network orchestrator 102 derives and sends to assurance orchestrator 106 service configuration information 116 for providing assurance for the services (e.g., service 1 and service 2) enabled on service network 113. Service configuration information 116 includes, for each service deployed or implemented on service network 113, respectively, a definition of the service, including a service type (e.g., a type of network connectivity), a service instance (e.g., an identifier or name of the service), and configuration information that describes how the service is actually implemented of service network 113. That is, the definition of the configuration of the service is reflective of how the service is instantiated as a collection of the subservices in service network 113.

For network device configuration information 114, network orchestrator 102 may employ, for example, the Network Configuration Protocol (NETCONF) (or, similarly, Representational State Transfer (REST) Configuration (RESTCONF)) to push intent-based network device configuration objects, such as Yet Another Next Generation (YANG) models or objects, to network devices 112. Similarly, for services configuration information 116, network orchestrator 102 may also employ, for example, NETCONF to push intent-based service configuration YANG objects to assurance orchestrator 106. YANG is a data modeling language used to define data sent over a NETCONF compliant network to configure resources. NETCONF are used to install, manipulate, and delete configurations of the resources, while YANG is used to model both configuration and state data of the resources. YANG models/objects used to implement embodiments presented herein may include YANG models/objects extended to include service-specific metadata annotations in accordance with RFC 7952, for example, or any other format that may be the subject of a future standard.

Assurance Orchestrator

Assurance orchestrator 106 operates as a central controller for assurance of the services deployed on service network 113. That is, assurance orchestrator 106 employs “service awareness” to control assurance for the services deployed on service network 113. In this role, assurance orchestrator 106 performs several main operations. First, assurance orchestrator 106 generates, from the service type and the service instance in the definition of each service defined in service configuration information 116, a unique service tag for the service. In an example, the service tag for a given service may be a tuple that includes the service type and the service instance from the definition of the given service. The service tag may be used to distinguish the service to which it pertains from all other services.

Second, assurance orchestrator 106 decomposes the definition of each service defined in service configuration information 116 into a respective subservice dependency graph of subservices and dependencies/interdependencies between the subservices that collectively (actually) implement the service on a network. That is, assurance orchestrator 106 dissects each service into the respective subservice dependency graph. The subservice dependency graph includes (subservice) nodes that represent the subservices and links between the nodes that represent the dependencies between the subservices. The subservice dependency graph may include the service type and the service instance (e.g., the service tag) for the service represented by the subservice dependency graph. To assist with the aforementioned decomposition, assurance orchestrator 106 may poll or query various network devices identified in the definition to discover subservices, such as packet routing protocols, implemented on the network devices and that are to be incorporated into the subservice dependency graph.

In a non-limiting embodiment, the subservice dependency graph includes a subservice dependency tree having a root node that represents the services, and nodes that represent the subservices and that have parent-child relationships (i.e., the dependencies) between the nodes/subservices that lead back to the root node. An example of a subservice dependency tree is described below in connection with FIG. 6. Other types of graph constructs/data structures may be used to represent the subservice dependency graph, as would be appreciated by one of ordinary skill in the art having read the present application.

Third, assurance orchestrator 106 derives from each subservice dependency graph a respective set of heuristic packages for the service described by the subservice dependency graph. The heuristic packages (i) specify/define service-related metrics (i.e., subservice metrics) to be monitored/recorded and reported by the subservices, and that are indicative of health statuses/states of the subservices, i.e., that are indicators of health states of the subservices, (ii) include rules to determine/compute key performance (KPIs) including the health states of the subservices (also referred to individually as a “subservice health state,” and collectively as “subservice health states”) based on the subservice metrics as recorded and reported, and (iii) which sensor paths (i.e., telemetry paths) are to be enabled for reporting telemetry, i.e., to report the subservice metrics recorded by the subservices from the subservices. The heuristic packages may also include or be associated with the service tag for the service to which the heuristic packages correspond. Assurance orchestrator 106 employs the heuristic packages to configure assurance agents 108 to monitor the subservices of the services, and to compute the health states of the subservices based on the monitoring, as described below.

Fourth, assurance orchestrator 106 provides to assurance agents 108 assurance agent configuration information 118 including the heuristic packages and their corresponding service tags in association with each other. Assurance orchestrator 106 may employ NETCONF to push the heuristic packages as YANG objects to assurance agents 108. Assurance orchestrator 106 may also provide the subservice dependency graphs to assurance collectors 110 in assurance collector configuration information 119.

Assurance Agents

Assurance agents 108 act as intermediary assurance devices between network devices 112, assurance collectors 110, and assurance orchestrator 106. More specifically, assurance agents 108 translate assurance agent configuration information 118, including the heuristic packages, to telemetry configuration information 120, and provide the telemetry configuration information to network devices 112, to configure the network devices 112 to record and report the subservice metrics mentioned above. For example, assurance agents 108 generate monitoring objects that define the subservice metrics to be recorded and reported by the subservices, and provide the monitoring objects to the subservices in telemetry configuration information 120, to configure the subservices to record and report the subservice metrics. Assurance agents 108 may maintain associations/bindings or mappings between the heuristic packages, the monitoring objects generated by the heuristic packages, and the services (e.g., service tags) to which the heuristic packages and the monitoring objects pertain. Assurance agents 108 may employ NETCONF (or RESTCONF), for example, to push YANG monitoring objects to network devices 112.

In response to receiving the monitoring objects in telemetry configuration information 120, network devices 112 record the subservice metrics specified in the monitoring objects, and report the subservice metrics (labeled as “metrics” 122 in FIG. 1) back to assurance agents 108 in telemetry streams. In an example, the telemetry streams carry subservice metrics 122 in telemetry objects corresponding to the monitoring objects, as described below in connection with FIG. 2B. In turn, assurance agents 108 tag subservice metrics 122 with service tags to indicate which of the subservice metrics are associated with/belong to which of the services, to produce service-tagged subservice metrics 124 (labeled “tagged metrics” in FIG. 1). In other words, assurance agents 108 apply the service tags to the subservice metrics for the services to which the service tags belong. In the example in which subservice metrics 122 are carried in telemetry objects, assurance agents 108 tag the telemetry objects with the service tag to produce service-tagged telemetry objects). Thus, the service tags provide service context to the subservice metrics.

In one embodiment, assurance agents 108 do not perform any specific analysis on the subservice metrics, leaving such analysis to assurance collectors 110 and/or assurance orchestrator 106. In another embodiment, assurance agents 108 perform analysis on subservice metrics 122 as instructed by the heuristic packages, to produce health states of the subservices (e.g., KPIs used as indicators of health states of the subservices) to which the subservice metrics pertain. Assurance agents 108 provide to assurance collectors 110 service-tagged subservice metrics 124, along with health states of the subservices when computed by the assurance agents. For example, assurance agents 108 provide flows of service-tagged subservice metrics tagged with service tag 1 to indicate service 1 to service 1 collector, and service-tagged subservice metrics tagged with service tag 2 to indicate service 2 to service 2 collector. Assurance agents 108 may also provide service-tagged subservice metrics 124 to assurance orchestrator 106.

Assurance Collectors

Assurance collectors 110 receive/collect service-tagged subservice metrics 124, and health states of the subservices when available, from assurance agents 108 for various services, as uniquely identified by the service tags with which the subservice metrics are tagged. Assurance collectors 110 associate service-tagged subservice metrics 124 with respective ones of the various services based on the service tags. Assurance collectors 110 determine a respective overall health state of each service based on the health states of the subservices of the service, as indicated by the service-tagged subservice metrics and their KPIs/health states. When assurance agents 108 do not provide to assurance collectors 110 health states of the subservices along with service-tagged subservice metrics 124, assurance collectors 110 compute the health states of the subservices from the service-tagged subservice metrics 124 as instructed by corresponding ones of the heuristic packages (e.g., by the heuristic packages tagged with the same service tag as the subservice metrics).

NETCONF/YANG (Object-Based) Implementation in Assurance System

With reference to FIG. 2A, there is a block diagram that shows additional details of assurance orchestrator 106, assurance collectors 110, a representative assurance agent (e.g., assurance agent 108(1)), and a representative network device (e.g., network device 112(1)) from FIG. 1A. Assurance collector 110 includes pipeline analytics 202 to analyze service-tagged subservice metrics 124 including the KPIs (if any) from assurance agents 108, to determine health states of the subservices and then service health states based on the health states of the subservices.

Assurance agent 108(1) includes a NETCONF agent 206, a telemetry consumer 208, a telemetry producer 210, and plugins 211. Plugins 211 provide various functional capabilities to assurance agent 108(1) to assist with tasks/operations performed by the assurance agent, including communicating with entities external to the assurance agent. Examples of plugins 211 include, but are not limited to, one or more of the following: a command line interface (CLI) plugin P1; a Simple Network Management Protocol (SNMP) plugin P2; an Internet Protocol (IP) service-level agreement (SLA) plugin P3; a NetFlow™ protocol plugin to communicate with NetFlow-enabled network devices P4; an in-situ operations, administration, and maintenance (IOAM) plugin P5 to provide real-time telemetry of individual data packets and flows; application programming interfaces (APIs) P6; and Layer Independent OAM Management in the Multi-Layer Environment (LIME) P7.

NETCONF agent 206 digests heuristic packages 204 sent by assurance orchestrator 106. NETCONF agent 206 generates monitoring objects (in telemetry configuration information 120) as network device configuration YANG objects based on the heuristic packages, and pushes the monitoring objects to network device 112(1) to configure the network device for model-driven telemetry (MDT) used to report recorded subservice metrics. NETCONF agent 206 may include in the monitoring objects respective identifiers of the subservices to which the monitoring objects pertain (e.g., an identifier of network device 112(1), since the network device is a subservice), and the service tag for the service to which the subservice pertains. Telemetry consumer 208 receives from network device 112(1) subservice metrics 122 recorded in (model-driven) telemetry objects corresponding to the monitoring objects. The telemetry objects include the subservice metrics, the identifier of the subservice (e.g., the identifier of network device 112(1)) to which the subservice metrics pertain, and may also include the service tag copied from the corresponding monitoring object. Telemetry consumer 208 passes the (received) telemetry objects to telemetry producer 210. Telemetry producer 210 tags the (received) telemetry objects with service tags, as mentioned above, and sends resulting service-tagged telemetry objects (representing service-tagged subservice metrics 124) to assurance pipeline analytics 202 of assurance collectors 110, and optionally to assurance orchestrator 106. Telemetry producer 210 may also copy into the service-tagged telemetry objects any KPIs/health states of subservices computed by assurance agent 108(1) in the embodiment in which the assurance agent computes that information.

Network device 112(1) includes a NETCONF agent 220 and an MDT producer 222. NETCONF agent 220 receives network device configuration information 114 from network orchestrator 102 and configures subservice(s) on network device 112(1) based on the network device configuration information. NETCONF agent 220 also receives the monitoring objects from NETCONF agent 206, and configures the network device, including MDT producer 222, based on the monitoring objects. MDT producer 222, records its local subservice metrics and its subservice identifier in telemetry objects as instructed by the monitoring objects, and may optionally include the corresponding service tags in the telemetry objects, and reports the telemetry objects to telemetry consumer 208.

Distributed Assurance System

With reference to FIG. 2B there is a block diagram that shows an example of a distributed arrangement of assurance agents 108 and network devices 112 of service assurance system 100. In the example of FIG. 2B, assurance agent 108(1) is co-located with network devices 112(1)-112(3) at a first geographical location and assurance agent 108(2) is co-located with network devices 112(4)-112(6) at a second geographical location separated from the first geographical location. Service 1 (see FIG. 1) may be implemented on network devices 112(1)-112(3), and Service 2 may be implemented on network devices 112(4)-112(6). Geographically distributed assurance agents 108(1) and 108(2) report their service-tagged telemetry objects to centralized assurance agent 108(3), which forwards the service-tagged subservice metrics to assurance collector 110.

Examples of service configuration information 116 for a service instance “xyz” (e.g., for a customer xyz) of service type Layer 2 (L2) virtual private network (VPN) L2VPN, which is a peer-to-peer (p2p) connectivity type (i.e., L2VPN-p2p), are now described with reference to FIGS. 3-5. In FIGS. 3-5, the example service configuration information is represented as eXtensible Markup Language (XML) encoding of YANG models.

Service Configuration Information/Definition Examples

With reference to FIG. 3, there is an illustration of first example service configuration information 300 for a first network device and an interface of service instance xyz. More specifically, lines 302 introduce a “GigabitEthernet” interface for/on a first provider edge (PE) network device “sain-pe-1” (e.g., a router) for service instance xyz of type “12vpn” indicated at line 304. As indicated at lines 302, first network device sain-pe-1 is running an XR operating system, by Cisco. Line 306 provides an identifier “0/0/0/3” for the GigabitEthernet interface. Line 308 defines a maximum transmission unit (MTU) for the interface. Groups of lines 310 and 312 define parameters for IPv4 and IPv6 addresses configured on the interface.

With reference to FIG. 4, there is an illustration of second example service configuration information 400 for a second network device of service instance xyz. More specifically, lines 402 introduce a second PE network device “sain-pe-2” (e.g., a router) for service instance xyz of type “12vpn” indicated at line 406. Line 408 defines a Quality-of-Service (QoS) classification, as default, for traffic handled by the network device sain-pe-2. Alternatively, or additionally, service configuration information 400 may define a Quality-of-Experience (QoE) classification. Lines 410 define a policy rate for network device sain-pe-2.

With reference to FIG. 5, there is an illustration of third example service configuration information 500 for a first cross-connect (“xconnect”) associated with second network device sain-pe-2 for service instance xyz. An “xconnect” is a Layer-2 pseudowire (L2 PW) used to create Layer 2 VPNs (L2VPNs). Examples of xconnects are provided at https://www.amazon.com/Layer-VPN-Architectures-Networking-Technology-ebook/dp/B0051TM5BM, authored by C. Pignataro. In the present context of service assurance, “xconnect” refers to a syntax of a command used to realize the pseudowire in, for example, a Cisco internetwork operating system (IOS)-XR/IOS-XE operating system.

Lines 502 associate second network device sain-pe-2 with service instance xyz. Lines 504 define the first xconnect, which is associated with a GigabitEthernet subinterface 0/0/0/2.600 at line 506 and with an IPv4 address 192.168.0.17 at line 508.

Subservice Dependency Graph Example

With reference to FIG. 6, there is an illustration of an example subservice dependency graph in the form of a subservice dependency tree 600 for service L2VPN-p2p, meaning a Layer 2 VPN for a peer-to-peer connection. Subservice dependency tree 600 (or “tree” for short) includes a service node A-1 at a highest level of the tree. Service node A-1 identifies/represents the service by a service tag tuple that includes service type and service instance, e.g., tuple <service type, service instance>. In the example of FIG. 6, service node A-1 represents service <L2VPN-p2p, xyz>. Lower levels of tree 600 are populated with subservice nodes (shown as boxes) that identify/represent respective subservices of the service <L2VPN-p2p, xyz>, and that connect back to service node A-1 through subservice dependencies or parent-child links (shown as lines connecting boxes that depend on each other). Each of the subservice nodes includes an identifier (e.g., a plain text identifier, as depicted in FIG. 6) of the subservice represented by that subservice nodes. In the example of FIG. 6, the lower levels of tree 600 include:

-   -   a. A second level that includes subservice nodes B-1 and B-2 for         xconnect subservices implemented on network devices sain-pe-1         and sain-pe2;     -   b. A third level that includes a subservice node C-1 for an L3         network connectivity subservice with components on network         devices sain-pe-1 and sain-pe2.     -   c. A fourth level that includes subservice nodes D-1 and D-2 for         routing protocol subservices (e.g., Intermediate System to         Intermediate System (IS-IS)) on network devices sain-pe-1 and         sain-pe-2.     -   d. A fifth level that includes subservice nodes E-1 and E-2 for         subinterface subservices on network devices sain-pe-1 and         sain-pe-2.     -   e. A sixth level that includes subservice nodes F-1-F-8 for         interface subservices on network devices sain-pe-1 or sain-pe-2,         as indicated.     -   f. A seventh level that includes subservice nodes G-1-G3 for         network devices sain-pe-1 and sain-pe-2 as subservices as         indicated.

In one example branch of subservice dependency tree 600, service <L2VPN-p2p, xyz> depends on the subservice of subservice node B-1, which depends on the subservice of subservice node E-1, which depends on the subservice of subservice node F-2, and so on down the levels of the tree. As indicated by the subservice links, a given subservice may depend on multiple other subservices. Traversing the levels of tree 600 downward from the highest level to the lowest level of the tree, the subservices of service <L2VPN-p2p, xyz> include network xconnects on network devices (e.g., on sain-pe-1 and sain-pe-2), L3 network connectivity on the network devices (L2 network connectivity on the network devices may also be a subservice), routing protocols on the network devices, interfaces of the network devices, subinterfaces of the network devices, and the network devices themselves.

Generally, the subservices include: xconnects on network devices; L1 (e.g., optical), L2, and L3 network connectivity on the network devices; routing protocols on the network devices; interfaces of the network devices; subinterfaces of the network devices; communication behavior of the interfaces and the subinterfaces; the network devices themselves and operations performed on/by the network devices. Subservices also include logical network functions and groupings of logical and physical elements, such as: ECMP/ECMP groups of network devices; network tunnels; link protection functions executing in a network; network device protection functions executing in a network; and logical overlays on a physical network.

Logical overlays may include: link aggregation for a link aggregation group (LAG); Virtual Extensible (Vx) LAN (VxLAN); VxLAN-Generic Protocol Extension (GPE); Generic Routing Encapsulation (GRE); service function chaining (SFC) functionality including Network Service Header (NSH) implementation; and Multiprotocol Label Switching (MPLS); for example. The subservices may also include applications such as application categorization as per RFC 6759. The subservices may also include one or more multicast subnets on network devices.

Heuristic Packages

Examples heuristic packages are now described in connection with FIGS. 7-9.

With reference to FIG. 7, there is an illustration of an example generalized heuristic package 700 generated based on a subservice dependency graph. Heuristic package 700 includes a header 702 that identifies a subservice of the subservice dependency graph that is targeted by the heuristic package, and an overall function for which the heuristic package is to be used. For example, header 702 may identify any specific one of xconnect, L3 connectivity, routing protocol, subinterface, interface, or network device, and the header may specify that the heuristic package is to be used to determine a health of the indicated subservice.

Heuristic package 700 may include arguments 704, which indicate various conditions under which the heuristic package is to be used, such as a time duration over which the subservice is to be monitored. Heuristic package 700 also includes expressions 706, which include measure 708 and compute 710. Measure 708 specifies subservice metrics of the subservice that are to be recorded. For example, for a network device subservice, the subservice metrics may include central processor unit (CPU) usage, free memory, temperature, power, and the like. For an interface of the network device, the subservice metrics may include traffic rate, and so on. Compute 710 provides rules and/or instructions to compute KPIs based on the subservice metrics, and instructions to determine a health state for the subservice, such as thresholds against which computed values are to be compared to determine the health state.

Compute 710 may include rules to compute a health state that is binary, i.e., a health state that indicates either a passing health state when the subservice is operating properly (e.g., meets a desired performance level) or a failing health state (which is a degraded health state) when the subservice is not operating properly (e.g., does not meet the desired performance level). Alternatively, the rules may compute a health state that is graded, i.e., a health state that indicates a health state within a range of possible health states from passing to failing, e.g., including a passing health state, a failing health state, and a degraded health state that is not a passing health state or a failing health state (in this case, degraded means between passing and failing). In an example, the health states may include the following computed health state values: failing=0, 0<degraded <1, passing=1.

With reference to FIG. 8, there is an illustration of an example heuristic package 800 for a network device subservice. Heuristic package 800 includes header 802 and arguments 804. Heuristic package 800 includes compute 806 a to compute health indicators (KPIs) for a flash disk, flash, a hard disk, and storage, generally. For example, compute 806 a includes rules to set the health state to indicate a degraded health state if memory of a flash disk is full, and further rules to evaluate the following Boolean operation: flash_disk_free/flash_disk size >0.05, and so on. Heuristic package 800 includes measure 808 that lists power metrics to be measured (e.g., power demand), and compute 806 b to compute health states based on the power metrics. Heuristic package 800 also includes compute 806 c to compute an overall health state (KPI) for the network device based on values computed in prior computes 806 a and 806 b. That is, compute 806 c defines a rule expression to evaluate the overall health state of the subservice based on the subservice metrics and the computed (intermediate) values mentioned above.

With reference to FIG. 9, there is an illustration of an example heuristic package 900 for a network protocol (e.g., IS-IS) subservice implemented on a network device. Heuristic package 900 includes header 902 and arguments 904. Heuristic package 900 includes measure 906 to measure metrics associated with IS-IS, including to determine lists of valid IPv4 and IPv6 IS-IS routes on the network device (e.g., from a forwarding or routing table in the network device). Heuristic package 900 includes compute 908 to compute KPIs that include various counts and stabilities of the IPv4 and the IPv6 IS-IS routes based on the metrics from measure 906, and to compute an overall health state 910, which is also a KPI, for IS-IS based on previously computed values/KPIs.

Assurance Collector Operations and User Interfaces

Further operations of assurance collectors 110 are now described in connection with FIGS. 10 and 11, and with reference again to FIG. 1A. As mentioned above, assurance collectors 110 receive/collect service-tagged subservice metrics 124 from assurance agents 108 for various services, subservice dependency graphs for the various services, and heuristic packages for the various services. The subservice dependency graphs each includes the service tag for the service to which the subservice dependency graph pertains. The heuristic packages each includes the service tag to which the heuristic package pertains. Assurance collectors 110 associate all service-tagged subservice metrics 124 (and health states of subservices when available) tagged with a given service tag to the subservice dependency graphs that includes the given service tag, and to the heuristic packages that include the given service tag. In other words, assurance collectors 110 associate all service-tagged metrics 124 (and health states of subservices), subservice dependency graphs, and heuristic packages that have a matching (i.e., the same) service tag to each other and to the service identified by that service tag.

For each service, assurance collectors 110 may populate the subservice dependency graph with corresponding health states of the subservices of the subservice dependency graph as represented by the service-tagged subservice metrics. For example, assurance collectors 110 may populate the nodes of a subservice dependency tree for the service with the health states of the subservices represented by the nodes. In an embodiment in which assurance agents 108 provide the health states of the subservices along with the service-tagged subservice metrics to assurance collectors 110, the assurance collectors may populate the subservice dependency tree with the provided health states. Alternatively, assurance collector 110 computes the health states of the subservices from the corresponding service-tagged metrics 124 in accordance with the corresponding heuristic packages, and then populates the subservice dependency tree with the health states as computed.

The resulting subservice dependency graph, populated with health states of the subservices, may be generated for display to an administrator in a graph form (e.g., tree) or otherwise, e.g., as a list of subservices for the service. Also, for each service, assurance collectors 110 may determine an overall health state of the service based on the health states of the subservices of the service. For example, if all of the subservices have health states that indicate passing health states, assurance collectors 110 may set the overall health state to indicate a passing overall health state. Alternatively, if the health states of one or more of the subservices indicate failing health states, assurance collectors 110 may set the overall health state to indicate a failing overall health state.

With reference to FIG. 10, there is an illustration of an example user interface (UI) 1000 generated for display by assurance collectors 110 responsive to collecting and analyzing service-tagged subservice metrics for the service L2VPN-p2p, xyz. UI 1000 includes subservice dependency tree 600 for the service, as described above, but with various subservices highlighted (e.g., with shaded) to indicate degraded health states (which may mean a failing health state or, alternatively, a degraded health state between failing and passing). Specifically, UI 1000 includes shading of subservices identified by subservice nodes E-1, F-4, and G-2, which indicates degraded health states for those subservices, i.e., assurance collectors 110 determined degraded health states of those subservices. Moreover, UI 1000 includes shading of the service L2VPN-p2p, xyz identified by service node A-1, which indicates a degraded overall health state of the service, i.e., assurance collectors 110 determined the degraded overall health state of the service based on the degraded health states of its subservices. In other example, different colors may distinguish passing health states (e.g., green) and degraded health states (e.g., orange).

UI 1000 also includes an information window or panel 1005 that provides health states and diagnostic information for the degraded subservices and the service.

With reference to FIG. 11, there is an there is an illustration of an example user interface (UI) 1100 generated for display by assurance collectors 110 responsive to collecting and analyzing service-tagged subservice metrics for multiple services. UI 1100 includes a panel 1102 that shows health states for two L1VPN-p2p services including service instances Customer A and Customer B, both degraded. UI 1100 includes a panel 1104 that shows health states for assurance agents 108. UI 1100 also includes a panel 1106 that indicates health states for Customer C and Customer D tunnel services, a panel 1108 that indicates a health state for a Customer E IPv6 service, and a panel 1110 that indicates a health state for a customer service.

Monitoring and Service-Tagged Telemetry Objects

With reference to FIG. 12, there is an illustration of an example monitoring object 1200. Monitoring object 1200 includes a subservice identifier (ID) 1202 and configuration information 1204. Configuration information 1204 may include YANG network device configuration information, for example, and identifies subservice metrics to be recorded and reported, in accordance with a heuristic package. Configuration information 1204 may include one or more configuration code snippets to configure a subservice, e.g., a network device, to perform the recording/reporting of the subservice metrics. For example, a heuristic package with instructions to monitor (memory) “space available” for MPLS in a network device running IOS-XR may result in the following command line interface (CLI) code snippet in a monitoring object destined for the network device:

CLIMetric:

-   -   Command: show resource detail,     -   regex_type: textfam,     -   regex: ios_xr/show_oef_rsource_detail.txt,     -   key: “space available”     -   filter:         -   “node”         -   “mpls”     -   postprocessing: convert2 byte (GetTuple (value, 0), GetTuple         (value, 1)

Alternatively, the monitoring object may include a YANG object that performs the same function as the CLI code snippet. Alternative, the monitoring object may include binary information such as a packet.

Monitoring object 1200 may also include a service tag for the service to which the subservice identified by the subservice ID pertains.

With reference to FIG. 13, there is an illustration of an example service-tagged telemetry object 1300. Service-tagged telemetry object 1300 includes a subservice identifier 1302, a service tag 1304, and information 1306. Information 1306 includes recorded/reported subservice metrics, computed values, and KPIs (including a health state of a subservice) in accordance with a heuristic package from which a corresponding monitoring object was generated.

Service Assurance Operational Flow

With reference to FIG. 14, there is a flowchart of an example method 1400 of performing assurance for a service enabled on a network. Method 1400 may be performed by a system including one or more entities to provide assurance for the service on the network. The one or more entities may include one or more of assurance orchestrator 106, assurance agents 108, and assurance collectors 110.

At 1402, a definition of a configuration of a service is received, e.g., by assurance orchestrator 106. The definition includes a service type, a service instance, and configuration information used to enable or implement the service in the network.

At 1404, a service tag is generated from the service type and the service instance. For example, assurance orchestrator 106 generates the service tag. The service tag identifies the specific instantiation of the service in the network, and is unique so as to distinguish the service from other services. The service tag may be a tuple that includes the service type and the service instance.

At 1406, based on the configuration information of the definition, the service is decomposed into a graph of subservices and dependencies between the subservices that collectively actually implement the service in the network. The service tag is applied to the subservice dependency graph. For example, assurance orchestrator 106 decomposes the service into the subservice dependency graph, and may provide the subservice dependency graph to assurance collectors 110.

At 1408, the subservices are configured to record and report subservice metrics indicative of health states of the subservices (e.g., a respective health state of each of the subservices) based on the subservice dependency graph. The health states may respectively indicate either a passing health state or a failing health state. Alternatively, the health states may respectively indicate a health state within a range of health states including a passing health state, a failing health state, and a degraded health state that is not a passing health state or a failing health state. Operation 1408 may include the following further operations:

-   -   a. Based on the subservice dependency graph, assurance         orchestrator 106 generates heuristic packages, typically one per         subservice, that specify the subservice metrics that the         subservices are to record and report, and include rules to         compute the health states of the subservices based on the         subservice metrics. Assurance orchestrator 106 provides to         assurance agents 108 the heuristic packages and the service tag.     -   b. Responsive to the heuristic packages, assurance agents 108         generate from the heuristic packages monitoring objects that         define the subservice metrics that the subservices are to record         and report, and provide the monitoring objects to the         subservices to configure the subservices to record and report         the subservice metrics.

At 1410, responsive to the configuring of 1408, the subservice metrics are obtained from the subservices. For example, responsive to the monitoring objects, the subservices record and then report to assurance agents 108 the subservice metrics in telemetry objects corresponding to the monitoring objects.

At 1412, the service tag is applied to the subservice metrics to produce service-tagged subservice metrics. For example, assurance agents 108 receive the telemetry objects, insert the service tag into the telemetry objects, and then send the (resulting) service-tagged telemetry objects to assurance collectors 110. Optionally, assurance agents 108 also analyze the subservice metrics to compute health states of the subservices in accordance with the rules in the heuristic packages, and insert the health states into the service-tagged telemetry objects before sending them to assurance collectors 110, which receive the service-tagged telemetry objects.

At 1414, the service-tagged subservice metrics are analyzed to determine a health state of the service. For example, assurance collectors 110 (i) associate the subservice metrics in the service-tagged telemetry objects with the service based of the service-tagged telemetry objects, (ii) analyze the subservice metrics to compute individual health states of the subservices (unless the health states are included with the service-tagged telemetry objects), e.g., one health state per subservice, based on the rules in the heuristic packages, and (iii) determine an overall health state of the service based on the individual health states of the subservices, which were associated with the service based on the service tags at (i). For example, if all of the health states of the subservices indicate passing health states, the overall health state may be set to indicate a passing overall health state. Alternatively, if one or more of the health states of the subservices indicate failing health states, the overall health state may be set to indicate a failing overall health state. Alternatively, if one or more of the health states of the subservices indicate degraded (not failing or passing) health states, and there are no failing health states, the overall health state may be set to indicate a degraded (not failing or passing) overall health state.

In addition, assurance collectors 110 populate indications of the subservices in the subservice dependency graph with their respective health states, and generate for display the populated subservice dependency graph to provide visual feedback. In various embodiments, operations performed by assurance collectors 110 as described above may be shared between the assurance collectors and assurance orchestrator 106. In another embodiment in which assurance collectors 110 are omitted, assurance agents 108 send service-tagged subservice metrics (and health states) directly to assurance orchestrator 106, and the assurance orchestrator performs all of the operations performed by the assurance collectors as described above. That is, assurance orchestrator 106 operates as the assurance orchestrator and assurance collectors 110.

In an environment that includes multiple services, method 1400 is performed for each service, by the one or more entities, to produce, for each service, respectively, a unique service tag, a subservice dependency graph, heuristic packages, monitoring objects, telemetry objects, tagged telemetry objects, health states of subservice, and an overall service health state. The one or more entities use the unique service tags to distinguish between the services and the aforementioned information generated for the services.

Computer System for Assurance Entities

With reference to FIG. 15, there is shown a hardware block diagram of an example computer system 1505 of network orchestrator 102 and a service assurance entity, such as one or more of assurance orchestrator 106, assurance agents 108, and assurance collectors 110. Computer system 1505, such as a server, includes one or more processors 1510, a network interface unit (NIU) 1512 (or multiple such NIUs), and a memory 1514. Memory 1514 stores control software 1516 (referred as “control logic”), that when executed by the processor(s) 1510, causes the computer system to perform the various operations described herein for the service assurance entity and for network orchestrator 102.

The processor(s) 1510 may be a microprocessor or microcontroller (or multiple instances of such components). The NIU 1512 enables computer system 1505 to communicate over wired connections or wirelessly with a network. NIU 1512 may include, for example, an Ethernet card or other interface device having a connection port that enables computer system 1505 to communicate over the network via the connection port. In a wireless embodiment, NIU 1512 includes a wireless transceiver and an antenna to transmit and receive wireless communication signals to and from the network.

The memory 1514 may include read only memory (ROM), random access memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physically tangible (i.e., non-transitory) memory storage devices. Thus, in general, the memory 1514 may comprise one or more tangible (non-transitory) computer readable storage media (e.g., memory device(s)) encoded with software or firmware that comprises computer executable instructions. For example, control software 1516 includes logic to implement operations performed by one or more (or all) of assurance orchestrator 106, assurance agents 108, assurance collectors 110, and network orchestrator 102. Thus, control software 1516 implements the various methods/operations described above. Control software 1516 also includes logic to implement/generate for display graphical user interfaces (GUIs) or, more generally, UIs, as necessary in connection with the above described methods/operations.

Memory 1514 also stores data 1518 generated and used by control software 1516, including network configuration information and service tags, subservice dependency graphs, heuristic packages, monitoring and telemetry objects, subservice metrics and service-tagged subservice metrics, health states and other KPIs, and so on, mappings between the aforementioned parameters stored in memory, and so on.

A user, such as a network administrator, may interact with computer system 1505, to receive reports, change algorithms, and so on, through GUIs by way of a user device 1520 (also referred to as a “network administration device”) that connects by way of a network with computer system 1505. The user device 1520 may be a personal computer (laptop, desktop), tablet computer, SmartPhone, and the like, with user input and output devices, such as a display, keyboard, mouse, and so on. Alternatively, the functionality and a display associated with user device 1520 may be provided local to or integrated with computer system 1505.

In other embodiments, the assurance entity may be implemented as one or more virtual machines (VMs) and or containers.

With reference to FIG. 16, there is a block diagram of an example network device 1600, representative of each of network devices 112. Network device 1600 comprises a network interface unit having a plurality of network input/output (I/O) ports 1642(1)-1642(P) to send traffic to one or more networks and receive traffic from the networks, a packet forwarding/processing unit 1643, a network processor 1644 (also referred to simply as “processor”), a management port 1645 to exchange control messages with other network devices and an administration function, and a memory 1646. The packet forwarding/processing unit 1643 is, for example, one or more application specific integrated circuits (ASICs) that include packet buffers, packet queues, and other control logic for performing packet forwarding operations. The processor 1644 may include multiple processors, which may be implemented as software or hardware processors. For example, processor 1644 may include a microcontroller or microprocessor that is configured to perform higher level controls of network device 1600. To this end, the memory 1646 stores software instructions that, when executed by the processor 1644, cause the processor 1644 to perform a variety of operations including operations described herein. For example, the memory 1646 stores instructions for control logic 1650 to perform operations described herein for recording and reporting of subservice metrics, and for configuring network device 1600 responsive to device configuration information 114. Control logic 1650 may also include logic components in packet forwarding unit 1643. Memory 1646 also stores data 1660 used and generated by logic 1650. Such data may include subservice metrics and device configuration information, for example, as described above.

In summary, embodiments presented herein, service assurance for intent-based networking (SAIN), for example, uses service tagging of subservice metrics recorded and reported by subservices of a service to help an assurance orchestrator/collector “find a needle in the haystack” with respect to identifying subservice problems that impact the service. This tagging helps the assurance orchestrator/collector assess all of the services that can be affected by particular telemetry data/sensor. The tagging facilitates specific export for data reduction, and filtering. The assurance orchestrator/collector can deterministically flag the services, including its subservices, which need user attention or can provide feedback for remediation. Example high-level operations include:

-   -   a. Get a service configuration from an assurance orchestrator.         The service configuration includes a service type and a service         instance.     -   b. Create a specific service tag from the service configuration,         e.g., <service type/service instance (e.g., identifier>tuple.     -   c. Using the service configuration, an assurance platform, e.g.,         the assurance orchestrator, decomposes the service into a series         of subservices for that specific service type/instance with         rules of heuristic packages.     -   d. Tag subservices metrics with the service tag.     -   e. To monitor a specific customer service instance, request all         tagged subservice metrics with the specific service tag.     -   f. When determining service performance based on key performance         indicators (KPIs), in case of service degradation/failure,         identify the specific component(s)/subservices that has failed         based on the service tag. Reconfigure the service (or network on         which the service is enabled) to avoid the fault component.

In one form, a method is provided comprising: at one or more entities configured to provide assurance for a service on a network: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices; obtaining the subservice metrics from the subservices; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.

In another form, an apparatus/system is provided comprising: one or more network interface units; and one or more processors coupled to the one or more network interface units and configured to provide assurance for a service on a network by: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices; obtaining the subservice metrics from the subservices; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.

In yet another form, a computer readable medium is provided. The computer readable medium stores instructions that, when executed by one or more processors coupled to one or more network interface units, cause the one or more processors to perform assurance for a service on a network by: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices; obtaining the subservice metrics from the subservices; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.

Although the techniques are illustrated and described herein as embodied in one or more specific examples, it is nevertheless not intended to be limited to the details shown, since various modifications and structural changes may be made within the scope and range of equivalents of the claims. 

What is claimed is:
 1. A method comprising: at one or more entities configured to provide assurance for a service on a network: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices by: generating monitoring objects that include the service tag and subservice identifiers, and define the subservice metrics the subservices are to record and report and providing the monitoring objects to the subservices to configure the subservices to record and report the subservice metrics; based on providing the monitoring objects to the subservices, receiving, from the subservices, telemetry objects that include the subservice metrics, the service tag, and the subservice identifiers; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.
 2. The method of claim 1, wherein the analyzing includes: associating the service-tagged subservice metrics with the service based on the service tag of the service-tagged subservice metrics; and determining the health state of the service based on the health states of the subservices.
 3. The method of claim 1, wherein: the subservice dependency graph includes a service node at a highest level of the subservice dependency graph, and the service node includes the service tag.
 4. The method of claim 1, wherein the generating the monitoring objects includes: generating heuristic packages that (i) specify the subservice metrics that the subservices are to record and report, and (ii) include rules to compute the health state of the subservices based on the subservice metrics; and generating the monitoring objects based on the heuristic packages.
 5. The method of claim 4, wherein the analyzing includes: computing the health states of the subservices from the service-tagged subservice metrics in accordance with the rules in the heuristic packages; and determining the health state of the service based on the health states of the subservices.
 6. The method of claim 1, wherein the monitoring objects are configured according to a Yet Another Generation (YANG) model, and the providing the monitoring objects to the subservices includes pushing the monitoring objects to the subservices using a Network Configuration (NETCONF) protocol or a Representational State Transfer (REST) Configuration (RESTCONF) protocol.
 7. The method of claim 1, wherein each of the health states respectively indicates either a passing health state or a failing health state.
 8. The method of claim 1, wherein each of the health states respectively indicates a health state within a range of health states including a passing health state, a failing health state, and a degraded health state that is not a passing health state or a failing health state.
 9. The method of claim 1, wherein the subservices include one or more of: operations performed by network devices in the network; communication behavior of interfaces of the network devices; layer 1 (L1) network connectivity configured on the network devices, layer 2 (L2) network connectivity on the network devices, or layer 3 (L3) network connectivity on the network devices; packet routing protocols on the network devices; and logical network functions.
 10. A system comprising: one or more network interface units; and one or more processors coupled to the one or more network interface units and configured to provide assurance for a service on a network by: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices by: generating monitoring objects that include the service tag and subservice identifiers, and define the subservice metrics the subservices are to record and report; and providing the monitoring objects to the subservices to configure the subservices to record and report the subservice metrics; based on providing the monitoring objects to the subservices, receiving, from the subservices, telemetry objects that include the subservice metrics, the service tag, and the subservice identifiers; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.
 11. The system of claim 10, wherein the one or more processors are configured to perform the analyzing by: associating the service-tagged subservice metrics with the service based on the service tag of the service-tagged subservice metrics; and determining the health state of the service based on the health states of the subservices.
 12. The system of claim 10, wherein: the subservice dependency graph includes a service node at a highest level of the subservice dependency graph, and the service node includes the service tag.
 13. The system of claim 10, wherein the one or more processors are configured to perform the generating the monitoring objects by: generating heuristic packages that (i) specify the subservice metrics that the subservices are to record and report, and (ii) include rules to compute the health state of the subservices based on the subservice metrics; and generating the monitoring objects based on the heuristic packages.
 14. The system of claim 13, wherein the one or more processors are configured to perform the analyzing by: computing the health states of the subservices from the service-tagged subservice metrics in accordance with the rules in the heuristic packages; and determining the health state of the service based on the health states of the subservices.
 15. The system of claim 10, wherein the monitoring objects are configured according to a Yet Another Generation (YANG) model, and the providing the monitoring objects to the subservices includes pushing the monitoring objects to the subservices using a Network Configuration (NETCONF) protocol or a Representational State Transfer (REST) Configuration (RESTCONF) protocol.
 16. The system of claim 10, wherein each of the health states respectively indicates either a passing health state or a failing health state.
 17. The system of claim 10, wherein the subservices include one or more of: operations performed by network devices in the network; communication behavior of interfaces of the network devices; layer 1 (L1) network connectivity configured on the network devices, layer 2 (L2) network connectivity on the network devices, or layer 3 (L3) network connectivity on the network devices; packet routing protocols on the network devices; and logical network functions.
 18. Non-transitory computer readable media encoded with instructions that, when executed by one or more processors coupled to one or more network interface units, cause the one or more processors to perform assurance for a service on a network by: receiving a definition of the service, the definition including a service type, a service instance, and configuration information used to enable the service; generating from the service type and the service instance a service tag that is unique to the service so as to distinguish the service from other services on the network; based on the definition, decomposing the service into a subservice dependency graph of subservices and dependencies between the subservices that collectively enable the service; based on the subservice dependency graph, configuring the subservices to record and report subservice metrics indicative of health states of the subservices by: generating monitoring objects that include the service tag and subservice identifiers, and define the subservice metrics the subservices are to record and report and providing the monitoring objects to the subservices to configure the subservices to record and report the subservice metrics; based on providing the monitoring objects to the subservices, receiving, from the subservices, telemetry objects that include the subservice metrics, the service tag, and the subservice identifiers; applying the service tag to the subservice metrics to produce service-tagged subservice metrics; and analyzing the service-tagged subservice metrics to determine a health state of the service.
 19. The non-transitory computer readable media of claim 18, wherein the instructions to cause the one or more processors to perform the analyzing include instructions to cause the one or more processors to perform: associating the service-tagged subservice metrics with the service based on the service tag of the service-tagged subservice metrics; and determining the health state of the service based on the health states of the subservices.
 20. The non-transitory computer readable media of claim 18, wherein: the subservice dependency graph includes a service node at a highest level of the subservice dependency graph, and the service node includes the service tag. 